Developer Productivity

SBOMs & Supply Chain Security: A Practical npm Audit Workflow

Dependency trees grow faster than anyone audits them. Here is a concrete workflow for generating SBOMs, triaging npm audit output, and knowing which alerts are actionable.

Feature Desk8 min read

The npm ecosystem installs fast because it installs everything. An innocent npm install react pulls in over a thousand packages. Every one of those packages is a vector.

Software Bill of Materials (SBOMs) emerged as the industry answer. An SBOM is a machine-readable inventory of every component in your application.

Generating an SBOM from npm

Run: npm sbom --sbom-format=cyclonedx > sbom.cyclonedx.json

This produces a CycloneDX document listing every direct and transitive dependency with version, license, and registry metadata.

The triage pipeline: turning alerts into decisions

Run npm audit --json and filter for high and critical severity. Then review each against three rules:

Rule 1: Is the vulnerable function reachable from your code? Rule 2: Is the vulnerability in a development dependency? Rule 3: Is there a known fix or a safe version range?

Most CVEs reported by npm audit are real vulnerabilities that your specific application cannot reach.

Automating SBOM generation in CI

Set up a GitHub Actions workflow that runs npm sbom on every push and uploads the result as an artifact. For extra confidence, upload to a dependency-analysis service like Dependency-Track.

The one thing that actually prevents supply chain attacks

Never use npm install in CI. Run npm ci with a committed lockfile. npm verifies every package against its stored integrity hash before extracting. If the tarball does not match, the install fails. This is the single most impactful security practice.

Takeaways

  • Generate an SBOM every build.
  • Triage audit output: focus on reachable, runtime, unpatched vulnerabilities.
  • Automate SBOM generation in CI.
  • Never run npm install in CI. Use npm ci with integrity verification.

Related briefs